Good news ! Hackbusters community is waiting for you !  https://discuss.hackbusters.com
KnowBe4 has been running the HackBusters site for a few years now, providing you with trending IT security news. We are expanding it and have launched a new exciting online community! The forum is divided into four main topics or categories: Social Engineering, Ransomware, Phishing and Security Awareness Training. You are invited to be one of the first to join us at: https://discuss.hackbusters.com.

2FA codes can be phished by new pentest tool

Shutterstock_669542029-compressor

With every new hack, it’s becoming clearer that older forms of two-factor authentication (2FA) are no longer the reassuring security protection they once were.

The latest and perhaps most significant is that researcher Piotr Duszyński has published a tool called Modlishka (Polish: “Mantis”) capable of automating the phishing of one-time passcodes (OTPs) sent by SMS or generated using authentication apps.

On one level, Modlishka is simply a tool that sits on the same server as a phishing site capturing any credentials and 2FA tokens the user can be tricked into sending it.

But instead of cloning the phished site (Gmail, say), it behaves like a reverse proxy, cleverly feeding the user content from the real site to make an attack look more convincing.

The user thinks they are interacting with the real site because they are – Modlishka,meanwhile, proxies all of this without the user realising.

A video demo shows how Modlishka could be used to phish a Google user but it could just...(continued)

View All Trending Stories